[unisog] New Virus?
mjimenez at net.tufts.edu
Wed Sep 10 19:57:25 GMT 2003
We've been dealing with precisely this for several days now.
It's called AGOBOT.AB by Trend.
We got definitions from Trend yesterday late afternoon.
"Read all instructions before applying adhesive."
-Large Print on Lid of Bucket; words to live by.
"Diplomacy" is saying "nice doggy" until you can find a big rock.
On Wed, 10 Sep 2003, Stephanie Hagopian wrote:
> Our campus has seen a unique virus that displays the same symptoms as
> two viruses already in existence (Gaobot.AA and Sdbot.N) but this one
> doesn't show up in the latest virus definitions. Evidence has already
> been submitted to Symantec from our office for forensics.
> Please let me know if anyone else has seen signs of this:
> -heavy Netbios scanning, port 445 (mostly) but also 135 seen as well
> -could be confused with Welchia:
> The attackers may have used the same RPC vulnerability to infect the
> - The victims connect to an IRC server and begin issuing DDOS commands
> using spoofed IPs.
> -exploits weak or absent Admin passwords/shares
> -floods network with spoofed IP packets (RFC1918 source IP addresses):
> The worm attempts to spread to non-existent IP addresses in the same
> subnet. This causes a lot of network disruption.
> On machine, look for:
> 1. C:\WINNT\System32 and delete
> -scvhost.exe (rather than normal svchost.exe)
> 2. Task Manager reveals scvhost.exe, stop process
> 3. Go to registry and look for the following keys:
> Look for "ConfigLoader---scvhost.exe" and delete both keys
> 4. all machines I saw were running Win2K and also were infected with
> Welchia or had Welchia a few weeks ago and had the worm recently cleaned
> off--thus why I think this exploits the same vulnerability as Welchia.
> 5. NO ADMIN OR WEAK ADMIN PASSWORDS
> All the machines I've seen had the latest virus definitions and the
> latest hotfixes but were still found to have this.
> Stephanie A. Hagopian
> IT Security Analyst
> University of North Carolina-Chapel Hill
> 105 Abernethy Hall
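Added example, not part of this thread: a small Python detector for the symptoms Stephanie lists, run over a constructed flow log (timestamp, source, destination, destination port) with an assumed campus subnet of 10.5.1.0/24. It flags hosts sweeping many peers on port 445/135, RFC1918 source addresses that cannot belong to the local segment (spoofed), and the scvhost.exe lookalike process name.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow log (not from the post): "timestamp src dst dst_port".
SAMPLE_LOG = """\
2003-09-10T14:00:01 10.5.1.20 10.5.1.21 445
2003-09-10T14:00:01 10.5.1.20 10.5.1.22 445
2003-09-10T14:00:02 10.5.1.20 10.5.1.23 135
2003-09-10T14:00:02 10.5.1.20 10.5.1.24 445
2003-09-10T14:00:02 10.5.1.20 10.5.1.25 445
2003-09-10T14:00:03 10.5.1.20 10.5.1.26 445
2003-09-10T14:00:05 10.5.1.30 10.5.1.10 445
2003-09-10T14:00:06 10.5.1.30 10.5.1.10 139
2003-09-10T14:00:07 192.168.77.3 10.5.1.200 80
2003-09-10T14:00:07 172.16.9.9 10.5.1.200 80
2003-09-10T14:00:08 10.5.1.40 10.5.1.10 80
"""

LOCAL_NET = ipaddress.ip_network("10.5.1.0/24")  # assumed campus subnet
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCAN_PORTS = {445, 135}          # NetBIOS/RPC ports named in the post
SCAN_THRESHOLD = 5               # distinct targets on those ports before flagging a host

def parse_lines(text):
    """Yield (src, dst, port) from the constructed log format."""
    for line in text.splitlines():
        _ts, src, dst, port = line.split()
        yield src, dst, int(port)

def find_scanners(text, threshold=SCAN_THRESHOLD):
    """Hosts touching many distinct peers on 445/135: the worm sweeping its subnet."""
    targets = defaultdict(set)
    for src, dst, port in parse_lines(text):
        if port in SCAN_PORTS:
            targets[src].add(dst)
    return {src: len(peers) for src, peers in targets.items() if len(peers) >= threshold}

def find_spoofed_sources(text, local_net=LOCAL_NET):
    """RFC1918 sources outside our own subnet on a single campus segment are spoofed."""
    spoofed = set()
    for src, _dst, _port in parse_lines(text):
        ip = ipaddress.ip_address(src)
        if ip not in local_net and any(ip in net for net in RFC1918):
            spoofed.add(src)
    return sorted(spoofed)

def is_svchost_lookalike(process_name):
    """True for a transposition of svchost.exe such as the worm's scvhost.exe, never for the real name."""
    name = process_name.lower()
    return name != "svchost.exe" and sorted(name) == sorted("svchost.exe")
```

The threshold and subnet are assumptions to tune for a real segment; a legitimate file server touching a handful of hosts on 445 stays below it, while a sweep of non-existent addresses does not.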